Severity
High
Analysis Summary
The Lazarus Group, an infamous threat actor associated with the DPRK, has been observed using a sophisticated infection chain to target at least two employees of an unidentified nuclear-related organization in January 2024, over the course of about a month.
The attacks, which resulted in the installation of a new modular backdoor called CookiePlus, are part of Operation Dream Job, a long-running cyber espionage campaign that researchers also track as NukeSped and which has been operational since at least 2020. These activities frequently involve offering developers and workers in a variety of industries, such as defense, aerospace, cryptocurrency, and other international sectors, enticing job opportunities that eventually result in the installation of malware on their computers.
Within the DeathNote campaign, Lazarus aims to conduct supply chain attacks, primarily in one of two ways. The first is to send the recipient a malicious document or a trojanized PDF viewer that displays the customized job descriptions. The second is to persuade the targets to connect to a particular server for a skills assessment by distributing trojanized remote access tools such as VNC or PuTTY.
In the most recent round of attacks that researchers have reported, the adversary uses a redesigned infection chain to deliver a trojanized VNC tool under the guise of a skills exam for IT vacancies at well-known aerospace and military businesses. Notably, the Lazarus Group's use of rogue VNC app versions to target nuclear engineers had already been highlighted in the researchers' October 2023 APT trends report for Q3 2023.

At least two individuals from the same company (Host A and Host B) received the initial archive file from Lazarus; about a month later, the attackers launched more intensive attacks against the initial target. The VNC programs, a trojanized version of TightVNC named "AmazonVNC.exe," are believed to have been delivered as ZIP files and ISO images. In other instances, a malicious DLL contained in the ZIP file was side-loaded by a legitimate version of UltraVNC.
The DLL ("vnclang.dll") is a loader for a backdoor known as MISTPEN, which was documented in September 2024 by Google-owned Mandiant, which tracks the activity cluster as UNC2970. MISTPEN, in turn, has been observed delivering two further payloads: a new version of LPEClient and another payload called RollMid. Researchers also observed the CookieTime malware being installed on Host A, though exactly how this was achieved is unclear. CookieTime, so named because it uses encoded cookie values in HTTP requests to retrieve instructions from a command-and-control (C2) server, was first identified by the company in September and November 2020.
Further analysis of the attack chain shows that the threat actor moved laterally from Host A to another machine (Host C) between February and June 2024, again using CookieTime to distribute other payloads. The way CookiePlus is executed differs depending on whether it is loaded via Charamel Loader or ServiceChanger. The former operates as a standalone DLL and carries the C2 information in its resources section. The latter retrieves data from a separate external file, such as msado.inc, so CookiePlus can obtain a C2 list from either an external file or an internal resource. The behavior is otherwise the same.
When CookiePlus was originally discovered in the wild, it was posing as ComparePlus, an open-source Notepad++ plugin, which is how CookiePlus got its name. The attacks against the nuclear-related entity were found to be based on another open-source project, DirectX-Wrappers. The malware acts as a downloader that obtains a Base64-encoded, RSA-encrypted payload from the C2 server. The payload is then decoded and decrypted to run a DLL or three distinct shellcodes. The shellcodes can gather system information and force the main CookiePlus module to sleep for a predetermined period.
CookiePlus is thought to be a successor to MISTPEN due to behavioral similarities between the two malware families, particularly the fact that both have masqueraded as Notepad++ plugins. Historically, the Lazarus Group has used only a few modular malware frameworks, namely Mata and Gopuram Loader. The introduction of new modular malware like CookiePlus shows that the group is continuously improving its arsenal and infection chains to evade detection by security solutions.
Impact
- Cyber Espionage
- Unauthorized Access
- Information Theft
Indicators of Compromise
MD5
- cf8c0999c148d764667b1a269c28bdcb
- 80ab98c10c23b7281a2bf1489fc98c0d
- 4c4abe85a1c68ba8385d2cb928ac5646
- 00a2952a279f9c84ae71367d5b8990c1
- 5eac943e23429a77d9766078e760fc0b
SHA-256
- ba5f3bbe77eef8e730fde5f7ab493e4ed3d954b9fa70a234eda6fe3c2fc1d572
- 95dc085b0fea4a8d80df11ba1409a2df89ca97d980ba3dcf8e90d31e9d3fd533
- 6f9b79c20330a7c8ade8285866e5602bb86b50a817205ee3c8a466101193386d
- f5873ecd60390e7b86db5ddaf158ed201b386be26ad80af8a7da3576446520b8
- 58f2972c6a8fc743543f7b8c4df085c5cf2c6e674e5601e85eec60cd269cfb3c
SHA-1
- 0d17d477207d717f4e1be67e96c925aae473109d
- 1876e829b675e86e950f2e701ab9b2c4a56b4817
- 8edcd1d8d390d61587d334f4527e569a5bdf915c
- 57d60872a6239449116c9c609838906cec923ef5
- 2a900fbfdd65dafe6fadc4d5706e151c8b72230a
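The remediation guidance below asks you to search your environment for these indicators. The following script is an added example, not code from the advisory or its authors: it loads the MD5, SHA-1 and SHA-256 values listed above, hashes every file under a scan root once (streaming, so ISO images and installers need not fit in memory) and reports any match, and it can also classify a bare hash pasted from an EDR console. The scan root, the demo directory and its sample file are constructed here for illustration.

```python
"""Sweep a directory tree for files whose MD5, SHA-1 or SHA-256 digest matches
the advisory's indicators of compromise.

Added example, not code from the advisory. The hash values are the IOCs listed
above; the scan root, the demo directory and its sample file are constructed
here for illustration.
"""
import hashlib
import os
import tempfile

# IOC hashes from the advisory (lowercase hex), one set per algorithm.
IOC_MD5 = set("""
cf8c0999c148d764667b1a269c28bdcb 80ab98c10c23b7281a2bf1489fc98c0d
4c4abe85a1c68ba8385d2cb928ac5646 00a2952a279f9c84ae71367d5b8990c1
5eac943e23429a77d9766078e760fc0b
""".split())
IOC_SHA1 = set("""
0d17d477207d717f4e1be67e96c925aae473109d 1876e829b675e86e950f2e701ab9b2c4a56b4817
8edcd1d8d390d61587d334f4527e569a5bdf915c 57d60872a6239449116c9c609838906cec923ef5
2a900fbfdd65dafe6fadc4d5706e151c8b72230a
""".split())
IOC_SHA256 = set("""
ba5f3bbe77eef8e730fde5f7ab493e4ed3d954b9fa70a234eda6fe3c2fc1d572
95dc085b0fea4a8d80df11ba1409a2df89ca97d980ba3dcf8e90d31e9d3fd533
6f9b79c20330a7c8ade8285866e5602bb86b50a817205ee3c8a466101193386d
f5873ecd60390e7b86db5ddaf158ed201b386be26ad80af8a7da3576446520b8
58f2972c6a8fc743543f7b8c4df085c5cf2c6e674e5601e85eec60cd269cfb3c
""".split())

# hashlib algorithm name -> IOC set, so one loop covers all three digests.
IOC_BY_ALGO = {"md5": IOC_MD5, "sha1": IOC_SHA1, "sha256": IOC_SHA256}
# Hex length -> algorithm, for classifying a bare hash pasted from a console.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def hash_file(path, chunk_size=1 << 20):
    """Return {'md5': ..., 'sha1': ..., 'sha256': ...} for one file.

    The file is read once in chunks and fed to all three digests, so large
    artifacts such as ISO images or VNC installers need not fit in memory."""
    digests = {name: hashlib.new(name) for name in IOC_BY_ALGO}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def match_iocs(digests):
    """Return [(algorithm, hash), ...] for every digest that is in an IOC set."""
    return [(algo, digests[algo]) for algo, iocs in IOC_BY_ALGO.items()
            if digests.get(algo) in iocs]


def check_hash(value):
    """Classify a bare hash string by length and report (algorithm, is_ioc).

    Case and surrounding whitespace are normalised, since consoles and reports
    often show uppercase hex."""
    value = value.strip().lower()
    algo = ALGO_BY_LEN.get(len(value))
    if algo is None or any(c not in "0123456789abcdef" for c in value):
        raise ValueError("expected 32, 40 or 64 hex characters")
    return algo, value in IOC_BY_ALGO[algo]


def sweep(root):
    """Walk `root` and return {path: [(algorithm, hash), ...]} for every file
    whose digest matches an IOC. Unreadable files (locked, permission denied)
    are skipped so one bad file does not abort the whole scan."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                matched = match_iocs(hash_file(path))
            except OSError:
                continue
            if matched:
                hits[path] = matched
    return hits


def demo_dir():
    """Create a constructed sample tree with one benign file and return
    (root, file_path), so the sweep can be exercised offline."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_demo_")
    sample = os.path.join(root, "readme.txt")
    with open(sample, "wb") as fh:
        fh.write(b"hello")  # constructed content; its digests match no IOC
    return root, sample


if __name__ == "__main__":
    import sys
    scan_root = sys.argv[1] if len(sys.argv) > 1 else demo_dir()[0]
    for path, matched in sweep(scan_root).items():
        for algo, digest in matched:
            print(f"IOC HIT {algo} {digest} {path}")
```

Run it as `python ioc_sweep.py /path/to/scan`; with no argument it scans the constructed demo directory and prints nothing, since the sample file matches no indicator. Hash matching only catches the exact samples listed here, so treat a clean sweep as absence of these specific files, not as proof the host is uncompromised; pair it with the behavioral monitoring the remediation list recommends.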
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure all operating systems and software are up to date with the latest security patches.
- Employ reliable antivirus and antimalware software to detect and block known threats.
- Regularly update these tools to maintain the latest threat intelligence.
- Implement IDPS to detect and prevent unusual network activity, system behavior, or similar threats.
- Enable two-factor authentication (2FA) on your accounts; it adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
- Regularly back up your important data to ensure that you don't lose critical information in the event of a malware infection or other data loss event.
- Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
- Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
- Segment your network to limit lateral movement for attackers.
- Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications being executed.
- Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to respond to and mitigate any potential breaches quickly.
- Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that info-stealers and other types of malware could exploit.